Darkhotel Malware (APT) Virus Threat

VIRUS DEFINITION

Virus Type: malware, advanced persistent threat (APT)

What is the Darkhotel Threat?

The threat known as 'Darkhotel' has been analysed by Kaspersky Lab’s Global Research and Analysis Team. The Darkhotel threat appears to be a combination of spear phishing and dangerous malware designed to capture confidential data.

Cybercriminals behind Darkhotel have been operating for almost a decade, targeting thousands of victims across the globe. 90% of the Darkhotel infections we have seen are in Japan, Taiwan, China, Russia and Korea, but we have also seen infections in Germany, the USA, Indonesia, India, and Ireland.

Virus Threat Details

How does the Darkhotel threat work?

This campaign is unusual in that it employs varying degrees of malicious targeting.

(1) Spear Phishing

At one end of the spectrum, they use spear-phishing e-mails to infiltrate defense industrial bases (DIB), governments, NGOs, large electronics and peripherals manufacturers, pharmaceutical companies, medical providers, military-related organizations and energy policy makers. The attacks follow the typical spear phishing process with thoroughly disguised Darkhotel implants. Email-lure content often includes topics like nuclear energy and weaponry capabilities. Over the past several years spear phishing emails have contained an Adobe zero-day exploit attached or links that redirect targets’ browsers to Internet Explorer zero-day exploits. Their aim is to steal data from these organisations.

(2) Malware Delivery

At the other end of the spectrum, they spread malware indiscriminately via Japanese P2P (peer-to-peer) file-sharing sites. The malware is delivered as a part of a large RAR archive that purports to offer sexual content, but installs a backdoor Trojan that gathers confidential data from the victim.

(3) Infection

In an approach that lies somewhere between these two, they target unsuspecting executives who are travelling overseas and staying at a hotel. Here the victims are infected with a rare Trojan that masquerades as one of several major software releases, including Google Toolbar, Adobe Flash and Windows Messenger. This first-stage infection is used by the attackers to qualify their victims and to download further malware, designed to steal confidential data, to the computers of the more significant victims.

Based on a string within the malicious code, the threat appears to originate from a Korean threat actor.

What is the significance of Darkhotel?

Notwithstanding the technical sophistication of many targeted attacks, they typically start by tricking individual employees into doing something that jeopardises corporate security. Staff with public-facing roles (e.g. senior executives, sales and marketing personnel) can be particularly vulnerable, especially since they are often on the road and are likely to use untrusted networks (e.g. at hotels) to connect to a corporate network.

Features of the Darkhotel Campaign

The gang uses both targeted attacks and botnet-style operations. They compromise hotel networks, then stage attacks from those networks on selected high-profile victims. At the same time, they use botnet-style operations for massive surveillance or to perform other tasks, such as DDoS (Distributed Denial of Service) attacks, or to install more sophisticated espionage tools on the computers of particularly interesting victims.

Use of zero-day exploits targeting Internet Explorer and Adobe products.

Use of an advanced, low-level keylogger to steal confidential data.

Malicious code signed using stolen digital certificates.

A persistent campaign – Darkhotel has been operating for almost a decade.

How can I prevent a Darkhotel attack?

Although total prevention can be challenging, here are some tips on how to stay safe when travelling.

If you plan on accessing public or even semi-public Wi-Fi, only use trusted VPN tunnels.